providers/implementations/kem/rsa_kem.c

   1 /*
   2  * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /*
  11  * RSA low level APIs are deprecated for public use, but still ok for
  12  * internal use.
  13  */
  14 #include "internal/deprecated.h"
  15 #include "internal/nelem.h"
  16
  17 #include <openssl/crypto.h>
  18 #include <openssl/evp.h>
  19 #include <openssl/core_dispatch.h>
  20 #include <openssl/core_names.h>
  21 #include <openssl/rsa.h>
  22 #include <openssl/params.h>
  23 #include <openssl/err.h>
  24 #include "crypto/rsa.h"
  25 #include <openssl/proverr.h>
  26 #include "internal/nelem.h"
  27 #include "prov/provider_ctx.h"
  28 #include "prov/implementations.h"
  29 #include "prov/securitycheck.h"
  30
  31 static OSSL_FUNC_kem_newctx_fn rsakem_newctx;
  32 static OSSL_FUNC_kem_encapsulate_init_fn rsakem_encapsulate_init;
  33 static OSSL_FUNC_kem_encapsulate_fn rsakem_generate;
  34 static OSSL_FUNC_kem_decapsulate_init_fn rsakem_decapsulate_init;
  35 static OSSL_FUNC_kem_decapsulate_fn rsakem_recover;
  36 static OSSL_FUNC_kem_freectx_fn rsakem_freectx;
  37 static OSSL_FUNC_kem_dupctx_fn rsakem_dupctx;
  38 static OSSL_FUNC_kem_get_ctx_params_fn rsakem_get_ctx_params;
  39 static OSSL_FUNC_kem_gettable_ctx_params_fn rsakem_gettable_ctx_params;
  40 static OSSL_FUNC_kem_set_ctx_params_fn rsakem_set_ctx_params;
  41 static OSSL_FUNC_kem_settable_ctx_params_fn rsakem_settable_ctx_params;
  42
  43 /*
  44  * Only the KEM for RSASVE as defined in SP800-56b r2 is implemented
  45  * currently.
  46  */
  47 #define KEM_OP_UNDEFINED   -1
  48 #define KEM_OP_RSASVE       0
  49
  50 /*
  51  * What's passed as an actual key is defined by the KEYMGMT interface.
  52  * We happen to know that our KEYMGMT simply passes RSA structures, so
  53  * we use that here too.
  54  */
  55 typedef struct {
  56     OSSL_LIB_CTX *libctx;
  57     RSA *rsa;
  58     int op;
  59 } PROV_RSA_CTX;
  60
  61 static const OSSL_ITEM rsakem_opname_id_map[] = {
  62     { KEM_OP_RSASVE, OSSL_KEM_PARAM_OPERATION_RSASVE },
  63 };
  64
  65 static int name2id(const char *name, const OSSL_ITEM *map, size_t sz)
  66 {
  67     size_t i;
  68
  69     if (name == NULL)
  70         return -1;
  71
  72     for (i = 0; i < sz; ++i) {
  73         if (OPENSSL_strcasecmp(map[i].ptr, name) == 0)
  74             return map[i].id;
  75     }
  76     return -1;
  77 }
  78
  79 static int rsakem_opname2id(const char *name)
  80 {
  81     return name2id(name, rsakem_opname_id_map, OSSL_NELEM(rsakem_opname_id_map));
  82 }
  83
  84 static void *rsakem_newctx(void *provctx)
  85 {
  86     PROV_RSA_CTX *prsactx =  OPENSSL_zalloc(sizeof(PROV_RSA_CTX));
  87
  88     if (prsactx == NULL)
  89         return NULL;
  90     prsactx->libctx = PROV_LIBCTX_OF(provctx);
  91     prsactx->op = KEM_OP_UNDEFINED;
  92
  93     return prsactx;
  94 }
  95
  96 static void rsakem_freectx(void *vprsactx)
  97 {
  98     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
  99
 100     RSA_free(prsactx->rsa);
 101     OPENSSL_free(prsactx);
 102 }
 103
 104 static void *rsakem_dupctx(void *vprsactx)
 105 {
 106     PROV_RSA_CTX *srcctx = (PROV_RSA_CTX *)vprsactx;
 107     PROV_RSA_CTX *dstctx;
 108
 109     dstctx = OPENSSL_zalloc(sizeof(*srcctx));
 110     if (dstctx == NULL)
 111         return NULL;
 112
 113     *dstctx = *srcctx;
 114     if (dstctx->rsa != NULL && !RSA_up_ref(dstctx->rsa)) {
 115         OPENSSL_free(dstctx);
 116         return NULL;
 117     }
 118     return dstctx;
 119 }
 120
 121 static int rsakem_init(void *vprsactx, void *vrsa,
 122                        const OSSL_PARAM params[], int operation)
 123 {
 124     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 125
 126     if (prsactx == NULL || vrsa == NULL)
 127         return 0;
 128
 129     if (!ossl_rsa_check_key(prsactx->libctx, vrsa, operation))
 130         return 0;
 131
 132     if (!RSA_up_ref(vrsa))
 133         return 0;
 134     RSA_free(prsactx->rsa);
 135     prsactx->rsa = vrsa;
 136
 137     return rsakem_set_ctx_params(prsactx, params);
 138 }
 139
 140 static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,
 141                                    const OSSL_PARAM params[])
 142 {
 143     return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE);
 144 }
 145
 146 static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
 147                                    const OSSL_PARAM params[])
 148 {
 149     return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE);
 150 }
 151
 152 static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
 153 {
 154     PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
 155
 156     return ctx != NULL;
 157 }
 158
 159 static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
 160     OSSL_PARAM_END
 161 };
 162
 163 static const OSSL_PARAM *rsakem_gettable_ctx_params(ossl_unused void *vprsactx,
 164                                                     ossl_unused void *provctx)
 165 {
 166     return known_gettable_rsakem_ctx_params;
 167 }
 168
 169 static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
 170 {
 171     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 172     const OSSL_PARAM *p;
 173     int op;
 174
 175     if (prsactx == NULL)
 176         return 0;
 177     if (params == NULL)
 178         return 1;
 179
 180
 181     p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
 182     if (p != NULL) {
 183         if (p->data_type != OSSL_PARAM_UTF8_STRING)
 184             return 0;
 185         op = rsakem_opname2id(p->data);
 186         if (op < 0)
 187             return 0;
 188         prsactx->op = op;
 189     }
 190     return 1;
 191 }
 192
 193 static const OSSL_PARAM known_settable_rsakem_ctx_params[] = {
 194     OSSL_PARAM_utf8_string(OSSL_KEM_PARAM_OPERATION, NULL, 0),
 195     OSSL_PARAM_END
 196 };
 197
 198 static const OSSL_PARAM *rsakem_settable_ctx_params(ossl_unused void *vprsactx,
 199                                                     ossl_unused void *provctx)
 200 {
 201     return known_settable_rsakem_ctx_params;
 202 }
 203
 204 /*
 205  * NIST.SP.800-56Br2
 206  * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
 207  *
 208  * Generate a random in the range 1 < z < (n – 1)
 209  */
 210 static int rsasve_gen_rand_bytes(RSA *rsa_pub,
 211                                  unsigned char *out, int outlen)
 212 {
 213     int ret = 0;
 214     BN_CTX *bnctx;
 215     BIGNUM *z, *nminus3;
 216
 217     bnctx = BN_CTX_secure_new_ex(ossl_rsa_get0_libctx(rsa_pub));
 218     if (bnctx == NULL)
 219         return 0;
 220
 221     /*
 222      * Generate a random in the range 1 < z < (n – 1).
 223      * Since BN_priv_rand_range_ex() returns a value in range 0 <= r < max
 224      * We can achieve this by adding 2.. but then we need to subtract 3 from
 225      * the upper bound i.e: 2 + (0 <= r < (n - 3))
 226      */
 227     BN_CTX_start(bnctx);
 228     nminus3 = BN_CTX_get(bnctx);
 229     z = BN_CTX_get(bnctx);
 230     ret = (z != NULL
 231            && (BN_copy(nminus3, RSA_get0_n(rsa_pub)) != NULL)
 232            && BN_sub_word(nminus3, 3)
 233            && BN_priv_rand_range_ex(z, nminus3, 0, bnctx)
 234            && BN_add_word(z, 2)
 235            && (BN_bn2binpad(z, out, outlen) == outlen));
 236     BN_CTX_end(bnctx);
 237     BN_CTX_free(bnctx);
 238     return ret;
 239 }
 240
 241 /*
 242  * NIST.SP.800-56Br2
 243  * 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
 244  */
 245 static int rsasve_generate(PROV_RSA_CTX *prsactx,
 246                            unsigned char *out, size_t *outlen,
 247                            unsigned char *secret, size_t *secretlen)
 248 {
 249     int ret;
 250     size_t nlen;
 251
 252     /* Step (1): nlen = Ceil(len(n)/8) */
 253     nlen = RSA_size(prsactx->rsa);
 254
 255     if (out == NULL) {
 256         if (nlen == 0) {
 257             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
 258             return 0;
 259         }
 260         if (outlen == NULL && secretlen == NULL)
 261             return 0;
 262         if (outlen != NULL)
 263             *outlen = nlen;
 264         if (secretlen != NULL)
 265             *secretlen = nlen;
 266         return 1;
 267     }
 268     /*
 269      * Step (2): Generate a random byte string z of nlen bytes where
 270      *            1 < z < n - 1
 271      */
 272     if (!rsasve_gen_rand_bytes(prsactx->rsa, secret, nlen))
 273         return 0;
 274
 275     /* Step(3): out = RSAEP((n,e), z) */
 276     ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
 277     if (ret) {
 278         ret = 1;
 279         if (outlen != NULL)
 280             *outlen = nlen;
 281         if (secretlen != NULL)
 282             *secretlen = nlen;
 283     } else {
 284         OPENSSL_cleanse(secret, nlen);
 285     }
 286     return ret;
 287 }
 288
 289 /*
 290  * NIST.SP.800-56Br2
 291  * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
 292  */
 293 static int rsasve_recover(PROV_RSA_CTX *prsactx,
 294                           unsigned char *out, size_t *outlen,
 295                           const unsigned char *in, size_t inlen)
 296 {
 297     size_t nlen;
 298
 299     /* Step (1): get the byte length of n */
 300     nlen = RSA_size(prsactx->rsa);
 301
 302     if (out == NULL) {
 303         if (nlen == 0) {
 304             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
 305             return 0;
 306         }
 307         *outlen = nlen;
 308         return 1;
 309     }
 310
 311     /* Step (2): check the input ciphertext 'inlen' matches the nlen */
 312     if (inlen != nlen) {
 313         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
 314         return 0;
 315     }
 316     /* Step (3): out = RSADP((n,d), in) */
 317     return (RSA_private_decrypt(inlen, in, out, prsactx->rsa, RSA_NO_PADDING) > 0);
 318 }
 319
 320 static int rsakem_generate(void *vprsactx, unsigned char *out, size_t *outlen,
 321                            unsigned char *secret, size_t *secretlen)
 322 {
 323     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 324
 325     switch (prsactx->op) {
 326         case KEM_OP_RSASVE:
 327             return rsasve_generate(prsactx, out, outlen, secret, secretlen);
 328         default:
 329             return -2;
 330     }
 331 }
 332
 333 static int rsakem_recover(void *vprsactx, unsigned char *out, size_t *outlen,
 334                           const unsigned char *in, size_t inlen)
 335 {
 336     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 337
 338     switch (prsactx->op) {
 339         case KEM_OP_RSASVE:
 340             return rsasve_recover(prsactx, out, outlen, in, inlen);
 341         default:
 342             return -2;
 343     }
 344 }
 345
 346 const OSSL_DISPATCH ossl_rsa_asym_kem_functions[] = {
 347     { OSSL_FUNC_KEM_NEWCTX, (void (*)(void))rsakem_newctx },
 348     { OSSL_FUNC_KEM_ENCAPSULATE_INIT,
 349       (void (*)(void))rsakem_encapsulate_init },
 350     { OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))rsakem_generate },
 351     { OSSL_FUNC_KEM_DECAPSULATE_INIT,
 352       (void (*)(void))rsakem_decapsulate_init },
 353     { OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))rsakem_recover },
 354     { OSSL_FUNC_KEM_FREECTX, (void (*)(void))rsakem_freectx },
 355     { OSSL_FUNC_KEM_DUPCTX, (void (*)(void))rsakem_dupctx },
 356     { OSSL_FUNC_KEM_GET_CTX_PARAMS,
 357       (void (*)(void))rsakem_get_ctx_params },
 358     { OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS,
 359       (void (*)(void))rsakem_gettable_ctx_params },
 360     { OSSL_FUNC_KEM_SET_CTX_PARAMS,
 361       (void (*)(void))rsakem_set_ctx_params },
 362     { OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
 363       (void (*)(void))rsakem_settable_ctx_params },
 364     OSSL_DISPATCH_END
 365 };